char *get_property_value(PEVT_VARIANT value)
{
if (value->Type == EvtVarTypeNull)
return(NULL);
return(convert_windows_string(value->StringVal));
}
char *get_message(EVT_HANDLE evt, LPCWSTR provider_name, DWORD flags)
{
char *message = NULL;
EVT_HANDLE publisher = NULL;
DWORD size = 0;
wchar_t *buffer = NULL;
int result = 0;
publisher = EvtOpenPublisherMetadata(NULL,
provider_name,
NULL,
0,
0);
if (publisher == NULL) {
log2file(
"%s: ERROR: Could not EvtOpenPublisherMetadata() with flags (%lu) which returned (%lu)",
ARGV0,
flags,
GetLastError());
goto cleanup;
}
/* Make initial call to determine buffer size */
result = EvtFormatMessage(publisher,
evt,
0,
0,
NULL,
flags,
0,
NULL,
&size);
if (result != FALSE || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
log2file(
"%s: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (%lu) which returned (%lu)",
ARGV0,
flags,
GetLastError());
goto cleanup;
}
if ((buffer = calloc(size, sizeof(wchar_t))) == NULL) {
log2file(
"%s: ERROR: Could not calloc() memory which returned [(%d)-(%s)]",
ARGV0,
errno,
strerror(errno));
goto cleanup;
}
result = EvtFormatMessage(publisher,
evt,
0,
0,
NULL,
flags,
size,
buffer,
&size);
if (result == FALSE) {
log2file(
"%s: ERROR: Could not EvtFormatMessage() with flags (%lu) which returned (%lu)",
ARGV0,
flags,
GetLastError());
goto cleanup;
}
message = convert_windows_string(buffer);
cleanup:
free(buffer);
if (publisher != NULL) {
EvtClose(publisher);
}
return (message);
}
